by shallot_router 3181 days ago
>There are also things like Kaspersky previously volunteering to provide complete source access to the government. Our government declined the offer. How does this make sense?

First, even if they were giving access to their genuine source code repository, there's absolutely no guarantee that the binaries aren't backdoored by Kaspersky, FSB, or both. Alternatively, they could just hand over a phony copy of the source.

It's kind of a pointless offer. There's no real reason to deny, but there's also no reason to accept. If the fear is that their products might be influenced or backdoored by hostile intelligence agencies, the only reasonable solution is a total boycott.

(And yes, I very much understand the exact same could be said of the NSA and a lot of US-made software.)


The same code compiled by the same compiler with the same settings compiles to the same binaries. So you can indeed verify that what you're running and what you have the source code to are indeed one and the same.

For that matter, they could still do that to this day. Pick the time frame that the alleged hack happened and examine the source. And again you can compare the binary output to ensure that you actually have the real thing.

In practice, this isn't really possible, though. The binary is usually going to be slightly different. In theory you could RE the differences and potentially disprove a backdoor, but it's not easy.

Also, it's not necessarily that hard to slip a very subtle backdoor into the source.